Has anyone ever gotten DKIM running on EFA working?
Mine seems to work perfectly and yet none of the DKIM signatures are valid. I've used a few testers, i.e. send email to: check-auth@verifier.port25.com, and it always fails with:

I've googled the matter, some advised to turn off watermarking but that didn't make a difference, I tried sending HTML / TEXT-only mails and both fail. I tried adding FixCRLF Yes to my opendkim.conf file but that didn't help either, my body hash simply never works out.

Sorry for the delay in responding, I'm slowly working my way backwards through old posts.

It works perfectly for me.

Without logging into your system and diagnosing your settings, I cannot say why you are having the problem while I am not. Something must be modifying the message after the DKIM signing process, which is why you are getting the hash failures.

Sorry for this oversight, I had enquired about DKIM in a few threads. What finally got it working (not sure which one) was stopping any kind of signing emails and changing my DKIM key to 1024 as I had read some DNS servers having problems with a 2048 bit key. All working now.

I just found EFA and implemented it with success straight away - and so far I do love it.

At the moment I am combating OpenDkim and I have been able to make it work - but I was forced to disable in-line signing. Is there any way to run dkim whilst having signing enabled? Can the order be altered in any way to make dkim the last action happening (thereby the mail will not be changed which ruins the dkim verification) - or; is there any documentation on setting up an additional Postfix instance to handle outgoing email with dkim signing?

I have googled - but cannot find a proper solution. Thank you kindly for any insight.

@ulfthomas: I just wanted to confirm that I had the exact same problem and solution. I didn't find any other option than to completely disable inline signing.

I have spent the last few hours trying to work my way around this by duplicating the existing postfix instance in EFA to handle all outgoing mail. I have - just this minute actually - been successful in this attempt. I now have a working postfix that receives all outbound email, stamps the DKIM and delivers it.

Now I have to figure out how to do inbound dkim verification since all mail is being received by the original postfix but all dkim operations are being used by the new. Wish me luck.

So - after much googling and trial and error this is my setup now - which works with in-line signing:

Postfix Main
- This is the original Postfix instance on EFA (with config modifications)
- Performs all spam-related verification including DKIM and DMARC
- Configured with Postfix SMTP as smart host

Postfix SMTP
- The new Postfix instance (a copy of the original with config modifications)
- Signs DKIM only on outbound email

OpenDKIM
- Is called from both Postfix instances
- Trick was to make it ignore mail from internal mail server:
-- this enabled outbound emails to be signed only by Postfix SMTP
-- and it enabled DKIM verifications to be handled by Postfix main

I have not been using EFA for long and this might not be the preferred way to do this - but for me it works. All tests done on dkim, spf and dmarc are now reported as successful and all inbound emails are being scanned and stamped properly.

If others would like to know the setup I will be happy to do a config write-up of this - so let me know.

This is a quick write-up of how I switched from one to two postfix instances, primarily to solve proper dkim-signing of outbound email together with the additions of the EFA spam-links. The background for doing this was that emails were being signed by dkim before EFA inserted the links, hence dkim verification would fail since the email would be changed after it was signed. My setup results in dkim being signed as the final operation before the mail is sent to the internet.

Please note:
- Both postfix instances are utilizing the same instances of opendkim and opendmarc, which requires some specific configuration. This is highlighted in the write-up.
- In the configuration files I have replaced any information pertaining to my setup. Please read them and modify accordingly before saving your configuration files.

Mail flow:
- Exchange using MAIN as smart host
- MAIN using SMTP as smart host
- SMTP delivers mail to the internet
- MAIN receives mail from the internet

Final setup (outbound):
1: Mail sent from Exchange to MAIN
3: DMARC on MAIN (see note 1)
4: MailScanner on MAIN as per default configuration
5: Mail sent to SMTP
6: DKIM on SMTP (see note 1)
7: Mail leaving my setup

Final setup (inbound):
1: Mail received by MAIN
2: DMARC on MAIN (see note 1)
3: DKIM on MAIN
4: MailScanner on MAIN
5: Mail delivered to internal mail server

As a general warning: I am no expert in Linux which resulted in me not finding out about postmulti until I had a working setup using this manual approach. I will consider redoing my setup using postmulti at a later stage.

Setup

1: Install opendkim
- Kudos to pdwalker for supplying the instructions.
- Make sure it works before proceeding

2: Install opendmarc
- Kudos to thewomble for supplying the instructions.
- Make sure it works before proceeding

Read the comments pertaining to PeerList to learn how to ignore your entire internal network should you so please.

NoFilterHost was not part of the install documentation I used to install opendkim, but I added it to be able to ignore my internal mail server. I would also like to point out that I am using the same DKIM details to sign all my domains - this can be achieved by merely duplicating the information contained in the files KeyTable and SigningTable.

12: Verification
Tail your /var/log/maillog file and verify that all services are starting properly - and make sure they do before attempting to verify mail flow.

13: Send mail from your internal mail server to the internet
- Make sure it is received by MAIN, scanned and sent to SMTP
- Make sure SMTP receives it, DKIM signs it and sends it to the internet

14: Send an inbound email
- Make sure it is received by MAIN, verified and sent to your internal mail server

Note 1
MAIN and SMTP are both using the same DMARC and DKIM instances. Both DKIM and DMARC are therefore configured to ignore emails from the internal mail server because 1) MAIN will never have to verify nor sign any emails originating on the inside and 2) SMTP will never receive any emails from the internal mail server (as it is the smart host for MAIN only). This configuration allows MAIN to verify all inbound email using DKIM and DMARC whilst SMTP does all outbound DKIM signing. Also - since SMTP is doing only DKIM signing I have removed the DMARC service altogether from this postfix instance. My reasoning for setting it up this way was to leave as much as possible on the original EFA whilst only having the secondary doing outbound DKIM-signing.

------ End Write-up ------

I have checked spelling, order and config files many times over and hopefully I haven't missed anything or done something altogether outrageous.

If you find any issues, have questions or would like to improve on my setup (aside from postmulti, that is) - please leave a comment. And as I said - I am no Linux expert but I will try to answer any questions you might have.

//UlfThomas

------ Version control ------
23/11: Visual changes only by formatting additional sections as code

Last edited by ulfthomas on 23 Nov 2017 09:00, edited 1 time in total.
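
Added example (not from any poster in this thread, and not EFA or OpenDKIM code): the failure discussed above, a message changed after signing, shows up as a mismatch between the `bh=` tag and the hash of the body as received. This Python recomputes the body hash per RFC 6376, assuming an rsa-sha256 signature without an `l=` tag; the sample message, domain and selector are constructed.

```python
import base64, hashlib, re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse whitespace runs to one space and drop whitespace at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at the end of the body
        lines.pop()
    if not lines:                          # empty body: CRLF for simple, nothing for relaxed
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed") -> str:
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def tags(dkim_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    pairs = (t.split("=", 1) for t in dkim_value.split(";") if "=" in t)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def body_intact(dkim_value: str, body: bytes) -> bool:
    """True if the body still matches the bh= value the signer recorded."""
    t = tags(dkim_value)
    # c= is header/body; the body part defaults to simple when absent.
    mode = (t.get("c", "simple/simple").split("/") + ["simple"])[1]
    return t.get("bh") == body_hash(body, mode)

# Constructed sample: the body as signed, and a footer appended after signing.
SIGNED = b"Hello,\r\n\r\nQuarterly report attached.\r\n"
FOOTER = b"-- \r\nThis message has been scanned.\r\n"
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
          "\th=from:to:subject; bh=" + body_hash(SIGNED) + "; b=(omitted)")

if __name__ == "__main__":
    print("as signed:      ", body_intact(HEADER, SIGNED))
    print("footer appended:", body_intact(HEADER, SIGNED + FOOTER))
```

Relaxed canonicalization absorbs whitespace and trailing-blank-line changes only; any content added after signing still changes the hash, which is why signing has to be the last step before the mail leaves.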